Security Audit Report for Ref Exchange


The core contracts covered in this audit include ref-exchange in the The iterative audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.

Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations. In summary, we identified several issues as well as security suggestions that should be considered. The Ref Finance team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.


In total, we find 4 potential issues in the smart contract. We also have 10 recommendations and 3 notes, as follows:

High Risk: 0
Medium Risk: 3
Low Risk: 1
Recommendation: 10
Note: 3
ID Severity Description Category Status
1 Medium Improper Account Unregistration Software Security Fixed
2 Medium Lack of Storage Usage Check in function ft_on_transfer Software Security Fixed
3 Low Unrestricted Referral Account DeFi Security Fixed
4 Medium Incorrect Admin Fees Calculation in Simple Pool DeFi Security Fixed
5 - Lack of Check on Guardians' Removal Recommendation Fixed
6 - Two-Step Transfer of Privileged Account Ownership Recommendation Confirmed
7 - Potential Elastic Supply Token Problem Recommendation Confirmed
8 - Improper Check on the Admin Fees Recommendation Fixed
9 - Lack of Check in retrieve_unmanaged_token() Recommendation Confirmed
10 - Lack of Check on the Gas Used by migrate() Recommendation Fixed
11 - Code Optimization (I) Recommendation Fixed
12 - Code Optimization (II) Recommendation Fixed
13 - Avoid Logging in View Functions Recommendation Fixed
14 - Slippage Protection in Function add_liquidity Recommendation Fixed*
15 - Delayed Price in Rated Swap Pool Note Confirmed
16 - Timely Triggering update_token_rate() Note Confirmed
17 - Sensitive Functions Managed by DAO Note Confirmed

More details are provided in the audit report.

Take the first step towards a secure future

Reach out now for BlockSec's expert code audit services, elevate the security of your protocol before it goes live!